How does ThingsBoard link/refer to the device in the system?

This is not exactly a problem I am facing. This is more of a clarification/explanation I am looking for, but not getting any clear answer.
In ThingsBoard (IoT platform), when a device is registered, the user gives a unique name to it. The system automatically generates (and probably attaches) a 'device Id' to it. There is also another piece of information linked to a device, namely the device's 'access token', which can be system generated or created manually by the user. When data is sent to the system, we need the 'access token' to access the system, along with the 'hostname'. The data is registered in the DB (PostgreSQL in this case) for each device with its 'entity_id', which is actually the 'device Id' that the system generates. So, these THREE:
(1) user given device name
(2) system generated 'device Id'
(3) system generated or user created 'access token'
seem linked.
While identifying a device in the Rule Engine, or in other settings inside the TB system, I can simply identify devices by the names I have given them. But the device itself does not know by which name it is identified in the system. How does the system know which data is coming from which device? So, my guess is that the above-mentioned THREE pieces of information are linked. Could anyone please confirm/clarify this? Or explain how ThingsBoard's internal system works with regard to this device identification?
Thanks.
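A minimal model of the linkage the question asks about, as an added example that is not part of the original post and not ThingsBoard's own code or schema: the access token is a bearer credential that the server resolves to the device Id, and stored data is keyed by that Id, never by the name. The table names, column names and sample tokens are constructed for illustration.

```python
import sqlite3
import uuid

# Simplified, hypothetical schema: table and column names are illustrative.
SCHEMA = """
CREATE TABLE device (id TEXT PRIMARY KEY, name TEXT UNIQUE NOT NULL);
CREATE TABLE credentials (device_id TEXT UNIQUE NOT NULL, access_token TEXT UNIQUE NOT NULL);
CREATE TABLE telemetry (entity_id TEXT NOT NULL, key TEXT NOT NULL, value REAL);
"""

def register(db, name, token):
    device_id = str(uuid.uuid4())                      # (2) system-generated device Id
    db.execute("INSERT INTO device VALUES (?, ?)", (device_id, name))        # (1) name
    db.execute("INSERT INTO credentials VALUES (?, ?)", (device_id, token))  # (3) token
    return device_id

def ingest(db, token, key, value):
    """The device presents only its token; the server resolves it to a device Id."""
    row = db.execute("SELECT device_id FROM credentials WHERE access_token = ?",
                     (token,)).fetchone()
    if row is None:
        raise PermissionError("unknown access token")
    db.execute("INSERT INTO telemetry VALUES (?, ?, ?)", (row[0], key, value))
    return row[0]

def readings_by_name(db, name):
    """What a dashboard or rule does: name -> device Id -> rows stored by entity_id."""
    rows = db.execute("SELECT t.value FROM telemetry t JOIN device d ON d.id = t.entity_id "
                      "WHERE d.name = ? ORDER BY t.rowid", (name,))
    return [r[0] for r in rows]

def demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    dev_id = register(db, "boiler-1", "constructed-token-A")
    ingest(db, "constructed-token-A", "temperature", 21.5)
    # Rotate the token and rename the device: the device Id, and so the data, stays put.
    db.execute("UPDATE credentials SET access_token = ? WHERE device_id = ?",
               ("constructed-token-B", dev_id))
    db.execute("UPDATE device SET name = ? WHERE id = ?", ("boiler-main", dev_id))
    same_id = ingest(db, "constructed-token-B", "temperature", 22.0) == dev_id
    try:
        ingest(db, "constructed-token-A", "temperature", 99.0)
        old_token_rejected = False
    except PermissionError:
        old_token_rejected = True
    return same_id, readings_by_name(db, "boiler-main"), old_token_rejected

if __name__ == "__main__":
    print(demo())
```

Because the token alone selects the device, anyone holding it can submit data as that device, which is why it is rotated like any other credential.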

Related

Intune Enrollment Standard Users

I am trying to enroll about 100 systems in Intune. I want the user to be signed in as a standard user. I searched and found that the only way to do this is using AutoPilot. That is just not possible; it requires a factory-reset device and a hardware hash for each device.
The other way, they say, is to run a PowerShell script. That option won't work because I want only the one Microsoft account on the system. Windows needs at least one Admin account.
I simply want the normal user to be a standard account and, in case he needs admin privileges, I can connect and type in the cloud device administrator's credentials to give him access. However, I cannot find any way to get this done; it's kind of hard to believe this is so difficult to do. Any suggestions?

Solana Program Executable Data Account

I'm currently learning Solana development with Rust.
I'm trying to understand why we have a Program Account and a Program Executable Data Account. I already know that the Program Account contains a reference to a Program Executable Data Account, and that the latter contains the actual code.
My question is why do we have to split the actual code from the Program Account into a separate account? My initial thoughts were:
Maybe this has to do with being able to upgrade your program code. Maybe when you upgrade your program, a new Executable Data Account is created and the reference in the Program Account is updated.
That is not the case, since after upgrading a program, the reference (the address) to the Executable Data Account is the same.
Maybe this has to do with ownership of accounts. Maybe one account is owned by the developer and the other by the BPF Program.
That is not the case either, because both accounts are owned by the BPF Program, and the developer is just the Upgrade Authority.
Why do we need 2 accounts for a program? Why not store the actual code in the data slot of the Program Account?
I hope this makes sense.
I'm not 100% sure if this is the reason, but it may have to do with immutability of program accounts. The runtime enforces that program accounts are totally immutable, but when you upgrade a program, the data changes, of course. By putting it all in a separate account that is updated, you can get around that restriction.
If the original account pointed to a different data account, and we swapped data accounts on upgrade, then the runtime enforcement would break, since the public key would be modified.
A Program account (key) is the address of the Program executable. The Program executable is where the BPF code is and it is immutable unless the owner deployed with the upgradable BPF loader:
solana program deploy ...
The owner can upgrade the program using the same address
vs
solana deploy ...
When you upgrade, you are using a different address. This means that the original program still exists. I believe this deployment approach is being considered for removal.
Whichever way you deploy, the Program does not contain any other data and of course it can't modify its own program byte code. However, Programs can operate on the data of user accounts when the user account was created with the Program ID'd as the "owner".
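The split the answers describe is visible in the two account layouts. This is an added example, not code from the original posts: it parses the upgradeable BPF loader's Program and ProgramData account data (bincode layout: u32 variant tag, then fields) and shows that an upgrade rewrites only the ProgramData account. All keys, slots and code bytes are constructed samples, not real on-chain data.

```python
import struct

# Bincode layout of the upgradeable loader's account state (u32 LE variant tag first).
TAG_PROGRAM = 2          # Program { programdata_address: Pubkey }
TAG_PROGRAMDATA = 3      # ProgramData { slot: u64, upgrade_authority_address: Option<Pubkey> }
PROGRAM_LEN = 36         # 4-byte tag + 32-byte address
HEADER_LEN = 45          # 4 tag + 8 slot + 1 Option flag + 32 authority; code follows


def parse_program(data: bytes) -> bytes:
    """Return the ProgramData address a Program account points at."""
    if len(data) != PROGRAM_LEN or struct.unpack_from("<I", data)[0] != TAG_PROGRAM:
        raise ValueError("not a Program account")
    return data[4:36]


def parse_programdata(data: bytes) -> dict:
    """Split a ProgramData account into deploy slot, upgrade authority and code."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than the ProgramData header")
    tag, slot, flag = struct.unpack_from("<IQB", data)
    if tag != TAG_PROGRAMDATA or flag not in (0, 1):
        raise ValueError("not a ProgramData account")
    authority = data[13:45] if flag else None   # None: nobody can upgrade any more
    return {"slot": slot, "authority": authority, "code": data[HEADER_LEN:]}


def programdata(slot, authority, code):
    """Build constructed sample bytes for a ProgramData account."""
    flag, key = (1, authority) if authority else (0, bytes(32))
    return struct.pack("<IQB", TAG_PROGRAMDATA, slot, flag) + key + code


def demo():
    pd_addr, dev_key = bytes([0xAA]) * 32, bytes([0xBB]) * 32   # constructed keys
    program = struct.pack("<I", TAG_PROGRAM) + pd_addr          # never rewritten
    v1 = parse_programdata(programdata(100, dev_key, b"\x7fELF v1"))
    v2 = parse_programdata(programdata(250, dev_key, b"\x7fELF v2"))   # after an upgrade
    final = parse_programdata(programdata(300, None, b"\x7fELF v2"))   # authority removed
    return {
        "pointer_unchanged": parse_program(program) == pd_addr,
        "code_changed": v1["code"] != v2["code"],
        "slots": (v1["slot"], v2["slot"]),
        "upgradeable": (v2["authority"] == dev_key, final["authority"] is None),
    }
```

When reviewing a deployed program, the authority field is the one to check: a present key means that key holder can replace the code at the same program address.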

get Device identifier from Android Device Policy

We are trying out the EMM MDM app using Android Enterprise.
So we enroll using Android Enterprise in Fully managed mode.
We'll be having a per device policy mechanism, so every device will have a separate policy.
Now at the start, we don't have any info about who's the user, so we apply the default policy and then during setup (using setupActions), we open our custom app and ask the user to log in using username and password, that way we know who's the user.
The issue is, we know the user, but we don't know on which device the user has logged into since we can't query IMEI/SerialNumber (https://developer.android.com/training/articles/user-data-ids#best-practices-android-identifiers)
The issue is we make users log in from our app but in AndroidEnterprise, the device name is different.
We want to create a mapping of username <---> device info from AE.
Can we query the Android Device Policy app someway to get any identifier so that we can map deviceId <---> username?
or any other suggested way?
We cannot send deviceName or anything in the Managed configuration since, at that time, the user is not enrolled in AndroidEnterprise; thus, we don't have that info. see ref
Also, does anyone know how we can interact with Android Device Policy somehow, to know which policy is applied, etc.?
From Android 10, reading device identifier numbers requires the READ_PRIVILEGED_PHONE_STATE permission. However, apps installed from the Google Play Store cannot declare privileged permissions.
If you work with the Android Management API, you can set the policy DelegatedScope: CERT_INSTALL for your application to give it a special permission for access to certificate installation and management. That way we can use the READ_PHONE_STATE permission in your app's manifest.
From your application, you can get the IMEI/SerialNumber.
In your default policy, you have to set delegated scopes for your application:
    "applications": [
      {
        "packageName": "your-app-package-name",
        "delegatedScopes": [
          "CERT_INSTALL"
        ]
      }
    ]
devices.list can be used to check the list of devices enrolled in a specific enterprise, while devices.get may be used to check the details of a specific device. You may want to check this link for the list of information you may get using devices.get.

Script to run at first logon in OS X to "call home"?

I sell Macs and I'm looking for a way, for our security and to combat purchase fraud, to have the machines phone home the first time they are booted up to show that the machine has been in use at the client's IP address.
Now I know the client might set the computer up at a location other than their home and could spoof their IP (although the potential scammer wouldn't realise this system was in place so wouldn't be expecting to do this) but any system is better than no system.
In terms of privacy we'd put it in our privacy policy, but of course we're not looking to collect any information from the user apart from their IP address, and the script should delete itself once it's connected to the internet for the first time.
How would users recommend the best way to do it? I have full access to the computers beforehand and we already launch a script on first boot of the user account to show a welcome and help guide, so we could add simple scripting there, but maybe a helper program which attempts until an internet connection is first established, makes contact and deletes itself is best.
And of course we'd need a two-pronged approach: a URL or API of some sort on our server that the computer connects to. Ideally the information to send would be the serial number and the IP address of the user; the MAC address could be useful too, as often, if fraud has been committed, the police will also check to see if the original MAC address of the system has connected via the ISP server logs.
I suppose the final piece of the puzzle would be that our logged data would somehow need to prove it was sent from that computer and not just generated by ourselves in a database (e.g. we haven't just pretended it's connected from their IP that we've picked up from an e-mail address or something). I'm not sure if there would be any secure legal way to do this?
=============
Edit: Thinking of ways to make it legally binding in terms of presenting the information to the police or the courts, I think the receiving server would need to be hosted and maintained by an independent third party whom you had a contract with and who didn't allow you any write access to the information whatsoever; all you could do is visit a website and pull up the data to present the evidence to the police.
(I seem to have been voted down because someone likes committing fraud?)
I have looked into similar solutions for MacBooks in the past with little luck. One thing I have found, however, if you have a web server, is to create a PHP page in an obscure hidden directory that will capture the IP address and send an email on access. From here you can create a page specific to each computer with MAC and serial number and set this as Safari's homepage in a different tab. So every time someone attempts to access the internet you will be notified.
(This PHP page can be a simple blank page that just looks like a new tab, or can even display warnings such as "You are being tracked")
You could also create a Python script on startup to send the information you are looking for, such as IP, MAC and serial number, back, but again you would need another server set up as a listener.
And lastly, if possible, create a business account in iCloud and use Find My iPhone/Mac. This is probably the easiest if you can get away with it, but unfortunately it will not provide you with instant notifications.
-M

What actually is an Installation ID in analytics?

In my Mac app, I first call [Parse setApplicationId:myAppID clientKey:myClientKey]; to set things up.
Then I do [PFAnalytics trackAppOpenedWithLaunchOptions:nil]; and then things like [PFAnalytics trackEvent:@"myCustomEventName"]; all over my app.
Finally, I log into my Parse.com account, go into Explorer -> Make a table, choose Custom Events and click Run Query. Now I get a table of all of my events.
One of the columns is "Installation ID". What exactly is this? Is it tied to the machine's unique identifier, i.e., the serial number of the Mac?
Note that I'm only using analytics (for free) and the above API is the only API I use.
It's a Parse-generated identifier which is unique to a particular device. Each device has its own installation instance in the database, which you can see in the web interface if you create a custom subclass of Installation (in the same way you would for a user).
The installation id may or may not be tied to a 'real' device value, but you shouldn't make any assumptions about it.
